Parallel

Virtualization Lifecycle Management

With us today is Embotic's David Lynch. Embotic is a company that focuses on virtualization lifecycle management.

DDJ: David, there has been a lot of talk about the new security threats introduced by server virtualization. Which ones (if any) should we be concerned about?

DL: There are a number of foreseeable threats associated with server virtualization that should be considered as organizations increase their virtualization deployments; some are potentials, while others are with us today.

The virtualization layer is, to all intents and purposes, a new (and relatively immature), operating system in the datacenter; providing an additional potential point of attack that needs to be protected.

The hypervisor is an obvious target for attacks given its contact with multiple virtual machines (VMs), but there is also the possibility of intrahost threats, including guest-to-guest attacks. Today, the isolation provided by the VM container prevents this method of attack, but this isolation is already cracking a little and is the focus of a lot of "black-and-white hat" research. Most security experts agree that we will see a successful attack here within the next 12 to 18 months.

These potential issues can easily turn into real issues requiring consideration and action. But there are also security issues that are with us today, and need to be addressed now.

The biggest one in my mind is the increased threat of sprawl in the virtual space.

There is a significant difference between physical and virtual machines when it comes to management and control, and the existing management platforms supplied by the virtualization vendors tend to focus more on deployment than control. The ease of deployment combined with the lack of effective VM management and automation tools results in a great deal of manual work for most administrators -- and manual activity is more prone to error. A datacenter that is not in complete control is open to security violations.

The overall message is that the technology here is still very immature, and while there are many advantages -- security issues need to be addressed before they are completely adopted in the data center.

DDJ: Why is security compliance across virtualized infrastructures so difficult?

DL: Compliance in general is a challenge with server virtualization. The biggest issues are a combination of the fundamental differences between physical and virtual servers and the issues these create for management and audit systems.

Server identity tends to be associated with some level of physicality whether it is a rack and row number, or some element of the hardware for example. When you create multiple instances of the same server it can be something of a challenge to track, or even in some cases hard to identify every instance of that server out there.

Mobility is another challenge. According to Gartner, most large datacenters are using load balancing tools like V-Motion.Using these tools as load balancers enable you to restrict where specific VMs can travel. But these tools tend to be used more for planned downtime than actual product load balancing, which means that the movement of your VMs may be more manual than you think.

Today, most auditors have not woken up to the fact that virtual servers are different from physical ones. But, they will. And when they do, the ability to demonstrate control over the mobility of all instances of a VM will become an absolute necessity. To satisfy most auditors you will have to show where all instances of a specific VM has been -- throughout their lifecycle.

The isolation provided by the VM container today can be interpreted to mean that it does not matter what hardware the VM has run on, as it is effectively isolated. But this will only last as long as the isolation lasts. The first time a "guest break-out" occurs (and this has already been demonstrated in the lab), this audit requirement will change -- quickly.

It makes more sense to allow for this in your virtualization planning and implement control measures today, rather than have to scramble later.

DDJ: Embotics provides free of charge a tool called "V-Scout." Can you tell us about it? Why is a tool like this useful?

DL: Pretty much every administrator compensates for some of the reporting shortcomings of virtual server environments by maintaining some form of manual VM tracking system. Usually this takes the form of a spreadsheet, although I have seen whiteboards and stickies used as well.

Manual systems have a couple of significant drawbacks. First, they take time and effort to maintain, and if they ever get out of sync with the actual environment, they can take a great deal of effort to realign. Second, as with any manual system, they are prone to error and difficult to audit.

V-Scout is an absolutely free product, available for download off the Embotics website that replaces this tracking spreadsheet. It automats the data collection and provides consistent and effective reporting - a way to track and report on VMs that eliminates today's manual effort.

V-Scout provides administrators with a tool that will save them time and simplify that part of their day that is otherwise reserved for tracking and reporting on VMs. The product links in real time to up to two VMware VirtualCenters, automatically providing real time VM data together with a series of canned reports, an ad-hoc reporting system to answer custom questions, user-defined attributes for custom VM data and finally, VM cost trending information.

It has an additional useful side effect; it can provide management with access to all the data they need on the virtual environment without the need to have them access VMwares VirtualCenter directly.

V-Scout is complementary to Embotics' flagship product, V-Commander, an effective, policy-based management and control system for virtual machines that prevents virtual sprawl. Organizations can use V-Scout, free of charge, to understand and assess their growing virtualization deployments, and gain better control over their infrastructure.

DDJ: Is there a website readers can go to for more information on these topics?

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task.
However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Video

This month's Dr. Dobb's Journal

This month,
Dr. Dobb's Journal is devoted to mobile programming. We introduce you to Apple's new Swift programming language, discuss the perils of being the third-most-popular mobile platform, revisit SQLite on Android
, and much more!